suricata
detect-isdataat.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements isdataat keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 #include "detect-engine.h"
30 #include "detect-parse.h"
31 #include "app-layer.h"
32 
33 #include "util-unittest.h"
34 #include "util-unittest-helper.h"
35 
36 #include "detect-isdataat.h"
37 #include "detect-content.h"
38 #include "detect-uricontent.h"
39 #include "detect-engine-build.h"
40 
41 #include "flow.h"
42 #include "flow-var.h"
43 
44 #include "util-debug.h"
45 #include "util-byte.h"
46 #include "detect-pcre.h"
47 #include "detect-byte.h"
48 
49 /**
50  * \brief Regex for parsing our isdataat options
51  */
52 #define PARSE_REGEX "^\\s*!?([^\\s,]+)\\s*(,\\s*relative)?\\s*(,\\s*rawbytes\\s*)?\\s*$"
53 
54 static DetectParseRegex parse_regex;
55 
56 int DetectIsdataatSetup (DetectEngineCtx *, Signature *, const char *);
57 #ifdef UNITTESTS
58 static void DetectIsdataatRegisterTests(void);
59 #endif
60 void DetectIsdataatFree(DetectEngineCtx *, void *);
61 
62 static int DetectEndsWithSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr);
63 
64 /**
65  * \brief Registration function for isdataat: keyword
66  */
68 {
69  sigmatch_table[DETECT_ISDATAAT].name = "isdataat";
70  sigmatch_table[DETECT_ISDATAAT].desc = "check if there is still data at a specific part of the payload";
71  sigmatch_table[DETECT_ISDATAAT].url = "/rules/payload-keywords.html#isdataat";
72  /* match is handled in DetectEngineContentInspection() */
76 #ifdef UNITTESTS
77  sigmatch_table[DETECT_ISDATAAT].RegisterTests = DetectIsdataatRegisterTests;
78 #endif
79  sigmatch_table[DETECT_ENDS_WITH].name = "endswith";
80  sigmatch_table[DETECT_ENDS_WITH].desc = "make sure the previous content matches exactly at the end of the buffer";
81  sigmatch_table[DETECT_ENDS_WITH].url = "/rules/payload-keywords.html#endswith";
82  sigmatch_table[DETECT_ENDS_WITH].Setup = DetectEndsWithSetup;
84 
85  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
86 }
87 
88 /**
89  * \brief This function is used to parse isdataat options passed via isdataat: keyword
90  *
91  * \param de_ctx Pointer to the detection engine context
92  * \param isdataatstr Pointer to the user provided isdataat options
93  *
94  * \retval idad pointer to DetectIsdataatData on success
95  * \retval NULL on failure
96  */
97 static DetectIsdataatData *DetectIsdataatParse (DetectEngineCtx *de_ctx, const char *isdataatstr, char **offset)
98 {
99  DetectIsdataatData *idad = NULL;
100  char *args[3] = {NULL,NULL,NULL};
101  int res = 0;
102  size_t pcre2_len;
103  int i=0;
104 
105  pcre2_match_data *match = NULL;
106  int ret = DetectParsePcreExec(&parse_regex, &match, isdataatstr, 0, 0);
107  if (ret < 1 || ret > 4) {
108  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, isdataatstr);
109  goto error;
110  }
111 
112  if (ret > 1) {
113  const char *str_ptr;
114  res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
115  if (res < 0) {
116  SCLogError("pcre2_substring_get_bynumber failed");
117  goto error;
118  }
119  args[0] = (char *)str_ptr;
120 
121 
122  if (ret > 2) {
123  res = pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
124  if (res < 0) {
125  SCLogError("pcre2_substring_get_bynumber failed");
126  goto error;
127  }
128  args[1] = (char *)str_ptr;
129  }
130  if (ret > 3) {
131  res = pcre2_substring_get_bynumber(match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
132  if (res < 0) {
133  SCLogError("pcre2_substring_get_bynumber failed");
134  goto error;
135  }
136  args[2] = (char *)str_ptr;
137  }
138 
139  idad = SCMalloc(sizeof(DetectIsdataatData));
140  if (unlikely(idad == NULL))
141  goto error;
142 
143  idad->flags = 0;
144  idad->dataat = 0;
145 
146  if (args[0][0] != '-' && isalpha((unsigned char)args[0][0])) {
147  if (offset == NULL) {
148  SCLogError("isdataat supplied with "
149  "var name for offset. \"offset\" argument supplied to "
150  "this function has to be non-NULL");
151  goto error;
152  }
153  *offset = SCStrdup(args[0]);
154  if (*offset == NULL)
155  goto error;
156  } else {
157  if (StringParseUint16(&idad->dataat, 10,
158  strlen(args[0]), args[0]) < 0 ) {
159  SCLogError("isdataat out of range");
160  SCFree(idad);
161  idad = NULL;
162  goto error;
163  }
164  }
165 
166  if (args[1] !=NULL) {
167  idad->flags |= ISDATAAT_RELATIVE;
168 
169  if(args[2] !=NULL)
170  idad->flags |= ISDATAAT_RAWBYTES;
171  }
172 
173  if (isdataatstr[0] == '!') {
174  idad->flags |= ISDATAAT_NEGATED;
175  }
176 
177  for (i = 0; i < (ret -1); i++) {
178  if (args[i] != NULL)
179  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
180  }
181 
182  pcre2_match_data_free(match);
183  return idad;
184 
185  }
186 
187 error:
188  if (match) {
189  pcre2_match_data_free(match);
190  }
191  for (i = 0; i < (ret -1) && i < 3; i++){
192  if (args[i] != NULL)
193  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
194  }
195 
196  if (idad != NULL)
197  DetectIsdataatFree(de_ctx, idad);
198  return NULL;
199 
200 }
201 
202 /**
203  * \brief This function is used to add the parsed isdataatdata into the current
204  * signature.
205  * \param de_ctx pointer to the Detection Engine Context
206  * \param s pointer to the Current Signature
207  * \param isdataatstr pointer to the user provided isdataat options
208  *
209  * \retval 0 on Success
210  * \retval -1 on Failure
211  */
212 int DetectIsdataatSetup (DetectEngineCtx *de_ctx, Signature *s, const char *isdataatstr)
213 {
214  SigMatch *sm = NULL;
215  SigMatch *prev_pm = NULL;
216  DetectIsdataatData *idad = NULL;
217  char *offset = NULL;
218  int ret = -1;
219 
220  idad = DetectIsdataatParse(de_ctx, isdataatstr, &offset);
221  if (idad == NULL)
222  return -1;
223 
224  int sm_list;
225  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
226  if (DetectBufferGetActiveList(de_ctx, s) == -1)
227  goto end;
228  sm_list = s->init_data->list;
229 
230  if (idad->flags & ISDATAAT_RELATIVE) {
232  }
233  } else if (idad->flags & ISDATAAT_RELATIVE) {
234  prev_pm = DetectGetLastSMFromLists(s,
238  if (prev_pm == NULL)
239  sm_list = DETECT_SM_LIST_PMATCH;
240  else {
241  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
242  if (sm_list < 0)
243  goto end;
244  }
245  } else {
246  sm_list = DETECT_SM_LIST_PMATCH;
247  }
248 
249  if (offset != NULL) {
250  DetectByteIndexType index;
251  if (!DetectByteRetrieveSMVar(offset, s, &index)) {
252  SCLogError("Unknown byte_extract var "
253  "seen in isdataat - %s\n",
254  offset);
255  goto end;
256  }
257  idad->dataat = index;
258  idad->flags |= ISDATAAT_OFFSET_VAR;
259  SCLogDebug("isdataat uses byte_extract with local id %u", idad->dataat);
260  SCFree(offset);
261  offset = NULL;
262  }
263 
264  /* 'ends with' scenario */
265  if (prev_pm != NULL && prev_pm->type == DETECT_CONTENT &&
266  idad->dataat == 1 &&
268  {
269  DetectIsdataatFree(de_ctx, idad);
270  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
272  ret = 0;
273  goto end;
274  }
275 
276  sm = SigMatchAlloc();
277  if (sm == NULL)
278  goto end;
279  sm->type = DETECT_ISDATAAT;
280  sm->ctx = (SigMatchCtx *)idad;
281  SigMatchAppendSMToList(s, sm, sm_list);
282 
283  if (!(idad->flags & ISDATAAT_RELATIVE)) {
284  ret = 0;
285  goto end;
286  }
287 
288  if (prev_pm == NULL) {
289  ret = 0;
290  goto end;
291  }
292 
293  if (prev_pm->type == DETECT_CONTENT) {
294  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
296  } else if (prev_pm->type == DETECT_PCRE) {
297  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
299  }
300 
301  ret = 0;
302 
303 end:
304  if (offset)
305  SCFree(offset);
306  if (ret != 0)
307  DetectIsdataatFree(de_ctx, idad);
308  return ret;
309 }
310 
311 /**
312  * \brief this function will free memory associated with DetectIsdataatData
313  *
314  * \param idad pointer to DetectIsdataatData
315  */
317 {
318  DetectIsdataatData *idad = (DetectIsdataatData *)ptr;
319  SCFree(idad);
320 }
321 
322 static int DetectEndsWithSetup (DetectEngineCtx *de_ctx, Signature *s, const char *nullstr)
323 {
324  SigMatch *pm = NULL;
325  int ret = -1;
326 
327  /* retrieve the sm to apply the depth against */
329  if (pm == NULL) {
330  SCLogError("endswith needs a "
331  "preceding content option");
332  goto end;
333  }
334 
335  /* verify other conditions. */
337 
339 
340  ret = 0;
341  end:
342  return ret;
343 }
344 
345 #ifdef UNITTESTS
346 static int g_dce_stub_data_buffer_id = 0;
347 
348 /**
349  * \test DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure
350  * when given valid isdataat opt
351  */
352 static int DetectIsdataatTestParse01 (void)
353 {
354  int result = 0;
355  DetectIsdataatData *idad = NULL;
356  idad = DetectIsdataatParse(NULL, "30 ", NULL);
357  if (idad != NULL) {
358  DetectIsdataatFree(NULL, idad);
359  result = 1;
360  }
361 
362  return result;
363 }
364 
365 /**
366  * \test DetectIsdataatTestParse02 is a test to make sure that we return a correct IsdataatData structure
367  * when given valid isdataat opt
368  */
369 static int DetectIsdataatTestParse02 (void)
370 {
371  int result = 0;
372  DetectIsdataatData *idad = NULL;
373  idad = DetectIsdataatParse(NULL, "30 , relative", NULL);
374  if (idad != NULL && idad->flags & ISDATAAT_RELATIVE && !(idad->flags & ISDATAAT_RAWBYTES)) {
375  DetectIsdataatFree(NULL, idad);
376  result = 1;
377  }
378 
379  return result;
380 }
381 
382 /**
383  * \test DetectIsdataatTestParse03 is a test to make sure that we return a correct IsdataatData structure
384  * when given valid isdataat opt
385  */
386 static int DetectIsdataatTestParse03 (void)
387 {
388  int result = 0;
389  DetectIsdataatData *idad = NULL;
390  idad = DetectIsdataatParse(NULL, "30,relative, rawbytes ", NULL);
391  if (idad != NULL && idad->flags & ISDATAAT_RELATIVE && idad->flags & ISDATAAT_RAWBYTES) {
392  DetectIsdataatFree(NULL, idad);
393  result = 1;
394  }
395 
396  return result;
397 }
398 
399 /**
400  * \test Test isdataat option for dce sig.
401  */
402 static int DetectIsdataatTestParse04(void)
403 {
404  Signature *s = SigAlloc();
405  FAIL_IF_NULL(s);
406 
408 
409  FAIL_IF_NOT(DetectIsdataatSetup(NULL, s, "30") == 0);
410  SigMatch *sm = DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id);
411  FAIL_IF_NOT_NULL(sm);
413  SigFree(NULL, s);
414 
415  s = SigAlloc();
416  FAIL_IF_NULL(s);
418  /* relative w/o preceeding match defaults to "pmatch" */
419  FAIL_IF_NOT(DetectIsdataatSetup(NULL, s, "30,relative") == 0);
420  sm = DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id);
421  FAIL_IF_NOT_NULL(sm);
423 
424  SigFree(NULL, s);
425  PASS;
426 }
427 
428 static int DetectIsdataatTestParse06(void)
429 {
431  FAIL_IF(de_ctx == NULL);
432  de_ctx->flags |= DE_QUIET;
433 
434  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
435  "(msg:\"Testing bytejump_body\"; "
436  "content:\"one\"; "
437  "isdataat:!4,relative; sid:1;)");
438  FAIL_IF(s == NULL);
439 
441 
443  DetectIsdataatData *data =
445 
449 
450  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
451  "(msg:\"Testing bytejump_body\"; "
452  "content:\"one\"; "
453  "isdataat: !4,relative; sid:2;)");
454  FAIL_IF(s == NULL);
455 
457 
460 
465 
466  PASS;
467 }
468 
469 /**
470  * \test DetectIsdataatTestPacket01 is a test to check matches of
471  * isdataat, and isdataat relative
472  */
473 static int DetectIsdataatTestPacket01 (void)
474 {
475  int result = 0;
476  uint8_t *buf = (uint8_t *)"Hi all!";
477  uint16_t buflen = strlen((char *)buf);
478  Packet *p[3];
479  p[0] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
480  p[1] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_UDP);
481  p[2] = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_ICMP);
482 
483  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
484  goto end;
485 
486  const char *sigs[5];
487  sigs[0]= "alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
488  sigs[1]= "alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
489  sigs[2]= "alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
490  sigs[3]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
491  sigs[4]= "alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
492 
493  uint32_t sid[5] = {1, 2, 3, 4, 5};
494 
495  uint32_t results[3][5] = {
496  /* packet 0 match sid 1 but should not match sid 2 */
497  {1, 1, 0, 1, 0},
498  /* packet 1 should not match */
499  {1, 1, 0, 1, 0},
500  /* packet 2 should not match */
501  {1, 1, 0, 1, 0} };
502 
503  result = UTHGenericTest(p, 3, sigs, sid, (uint32_t *) results, 5);
504 
505  UTHFreePackets(p, 3);
506 end:
507  return result;
508 }
509 
510 /**
511  * \test DetectIsdataatTestPacket02 is a test to check matches of
512  * isdataat, and isdataat relative works if the previous keyword is pcre
513  * (bug 144)
514  */
515 static int DetectIsdataatTestPacket02 (void)
516 {
517  int result = 0;
518  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
519  "User-Agent: Wget/1.11.4"
520  "Accept: */*"
521  "Host: www.google.com"
522  "Connection: Keep-Alive"
523  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
524  uint16_t buflen = strlen((char *)buf);
525  Packet *p;
526  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
527 
528  if (p == NULL)
529  goto end;
530 
531  char sig[] = "alert tcp any any -> any any (msg:\"pcre with"
532  " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
533  "DullBoy/\"; isdataat:96,relative; sid:1;)";
534 
535  result = UTHPacketMatchSig(p, sig);
536 
537  UTHFreePacket(p);
538 end:
539  return result;
540 }
541 
542 /**
543  * \test DetectIsdataatTestPacket03 is a test to check matches of
544  * isdataat, and isdataat relative works if the previous keyword is byte_jump
545  * (bug 146)
546  */
547 static int DetectIsdataatTestPacket03 (void)
548 {
549  int result = 0;
550  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
551  "User-Agent: Wget/1.11.4"
552  "Accept: */*"
553  "Host: www.google.com"
554  "Connection: Keep-Alive"
555  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
556  uint16_t buflen = strlen((char *)buf);
557  Packet *p;
558  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
559 
560  if (p == NULL)
561  goto end;
562 
563  char sig[] = "alert tcp any any -> any any (msg:\"byte_jump match = 0 "
564  "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
565  "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
566 
567  result = UTHPacketMatchSig(p, sig);
568 
569  UTHFreePacket(p);
570 end:
571  return result;
572 }
573 
574 /**
575  * \brief this function registers unit tests for DetectIsdataat
576  */
577 void DetectIsdataatRegisterTests(void)
578 {
579  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
580 
581  UtRegisterTest("DetectIsdataatTestParse01", DetectIsdataatTestParse01);
582  UtRegisterTest("DetectIsdataatTestParse02", DetectIsdataatTestParse02);
583  UtRegisterTest("DetectIsdataatTestParse03", DetectIsdataatTestParse03);
584  UtRegisterTest("DetectIsdataatTestParse04", DetectIsdataatTestParse04);
585  UtRegisterTest("DetectIsdataatTestParse06", DetectIsdataatTestParse06);
586 
587  UtRegisterTest("DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
588  UtRegisterTest("DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
589  UtRegisterTest("DetectIsdataatTestPacket03", DetectIsdataatTestPacket03);
590 }
591 #endif
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1288
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1704
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:110
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:567
SigTableElmt_::desc
const char * desc
Definition: detect.h:1287
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1275
DetectIsdataatSetup
int DetectIsdataatSetup(DetectEngineCtx *, Signature *, const char *)
This function is used to add the parsed isdataatdata into the current signature.
Definition: detect-isdataat.c:212
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1285
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:569
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1595
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
results
struct DetectRfbSecresult_ results[]
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1279
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
DE_QUIET
#define DE_QUIET
Definition: detect.h:315
UTHPacketMatchSig
int UTHPacketMatchSig(Packet *p, const char *sig)
Definition: util-unittest-helper.c:843
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2629
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2575
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:1453
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1270
detect-pcre.h
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our isdataat options.
Definition: detect-isdataat.c:52
DetectByteIndexType
uint8_t DetectByteIndexType
Definition: detect-byte.h:28
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1124
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_ENDS_WITH
#define DETECT_CONTENT_ENDS_WITH
Definition: detect-content.h:42
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2753
SignatureInitData_::list
int list
Definition: detect.h:551
detect.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:344
Packet_
Definition: decode.h:430
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:654
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1253
detect-byte.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:336
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:135
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectByteRetrieveSMVar
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition: detect-byte.c:39
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:342
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1356
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perform a generic check taking care of as maximum common unittest eleme...
Definition: util-unittest-helper.c:604
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:788
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:178
detect-parse.h
Signature_
Signature container.
Definition: detect.h:582
SigMatch_
a single match condition for a signature
Definition: detect.h:341
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:35
DetectPcreData_
Definition: detect-pcre.h:43
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:77
detect-uricontent.h
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1467
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:587
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:829
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1480
flow.h
DETECT_ENDS_WITH
@ DETECT_ENDS_WITH
Definition: detect-engine-register.h:67
flow-var.h
DetectIsdataatFree
void DetectIsdataatFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectIsdataatData
Definition: detect-isdataat.c:316
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1277
DetectIsdataatRegister
void DetectIsdataatRegister(void)
Registration function for isdataat: keyword.
Definition: detect-isdataat.c:67
app-layer.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468